(54) Privacy data escrow system and method

(57) The privacy data escrow system (10) includes at least one data provider (12) having a plurality of privacy data records of a plurality of persons. Each privacy data record is associated with a unique person identifier of a person, and each of the at least one data provider (12) has a unique data provider identifier associated therewith. An escrow agent (16) is in communication with the at least one data provider (12) and is operable to receive and store, from the at least one data provider (12), the plurality of person identifiers, and a plurality of unique scrambled person identifiers and data provider identifiers associated with each person identifier (14). A database (20) is in communication with the at least one data provider (12) and is operable to receive and store, from the at least one data provider (12), the plurality of privacy data records, the plurality of scrambled person identifiers associated with the privacy data records, and the data provider identifiers (13). The database (20) is further operable to receive and store, from the escrow agent (16), a unique universal anonymous identifier to replace each scrambled person identifier (18), whereby each privacy data record stored in the database is identifiable by a universal anonymous identifier.
Description

[0001] This invention relates to computers and computer databases, and more particularly, to a privacy data escrow system and method.

[0002] In today's computer age, nearly every human action leads to the generation, collection and storage of some data. For example, a shopper's grocery or merchandise purchasing habits are collected at the checkout line and stored in databases for future marketing or customer relation purposes. In some instances, sensitive personal data collection leads to privacy issues. For example, financial data are collected whenever a customer applies for credit or a loan, and medical records are maintained for patients for insurance claim purposes. In the latter example, special concerns exist for employees whose employers maintain the health care records of their employees. The challenge for employers is to maintain the confidentiality and privacy of employee health, medical and claims data, while permitting access to the data for research, analysis and, in some cases, targeted patient intervention.
[0003] It has been recognised that it is desirable to provide a privacy data escrow system and method to maintain the confidentiality of sensitive personal data such as patient medical records.
[0004] In one aspect of the invention, a privacy data escrow system includes at least one data provider having a plurality of privacy data records of a plurality of persons. Each privacy data record is associated with a unique person identifier of a person, and each of the at least one data provider has a unique data provider identifier associated therewith. An escrow agent is in communication with the at least one data provider and is operable to receive and store, from the at least one data provider, the plurality of person identifiers, and a plurality of unique scrambled person identifiers and data provider identifiers associated with each person identifier. A database is in communication with the at least one data provider and is operable to receive and store, from the at least one data provider, the plurality of privacy data records, the plurality of scrambled person identifiers associated with the privacy data records, and the data provider identifiers. The database is further operable to receive and store, from the escrow agent, a unique universal anonymous identifier to replace each scrambled person identifier, whereby each privacy data record stored in the database is identifiable by a universal anonymous identifier.

[0005] In another aspect of the invention, a privacy data escrow system includes at least one data provider having a plurality of privacy data records of a plurality of persons, each privacy data record being associated with a unique person identifier of a person, each of the at least one data provider having a unique data provider identifier associated therewith, the at least one data provider being operable to scramble the person identifiers and generate unique scrambled person identifiers therefrom. An escrow agent is in communication with the at least one data provider and is operable to receive and store, from the at least one data provider, the plurality of person identifiers, the associated scrambled person identifiers, and the associated data provider identifier, the escrow agent being operable to generate a unique universal anonymous identifier for each scrambled person identifier. A database is in communication with the at least one data provider and is operable to receive and store, from the at least one data provider, the plurality of privacy data records, the plurality of scrambled person identifiers associated with the privacy data records, and the data provider identifier. The database is further operable to receive and store, from the escrow agent, a unique universal anonymous identifier to replace each scrambled person identifier, whereby each privacy data record stored in the database is identifiable by a universal anonymous identifier.
[0006] In yet another aspect of the invention, a method of maintaining the confidentiality of privacy data includes the steps of associating a unique person identifier with each privacy data record, scrambling the unique person identifier and generating a scrambled person identifier, transmitting the privacy data record and the scrambled person identifier to a database for storage, and transmitting the person identifier with its associated scrambled person identifier to an escrow agency for confidential safekeeping. The escrow agency then generates a universal anonymous identifier for each person identifier and scrambled person identifier, and transmits the universal anonymous identifier and its associated scrambled person identifier to the database.

[0007] The present invention will now be described further, by way of example, with reference to the accompanying drawings, in which:

FIGURE 1 is a simplified data flow diagram of an embodiment of the privacy data escrow system and method according to the teachings of the present invention; and

FIGURE 2 is a more detailed numerical data flow example of an embodiment of the process of separating and scrambling person identifiers from the data according to the teachings of the present invention.

[0008] FIGURE 1 is a simplified data flow diagram of an embodiment of the privacy data escrow system and method 10 according to the teachings of the present invention. Privacy data escrow system 10 obtains sensitive or confidential data from one or more sources or data providers 12. Data providers 12 may be persons, entities, organisations, or companies that have possession of the sensitive data. A data provider 12 may or may not have collected the data itself. In the patient medical records example described above, data providers 12 may be employee health insurance carriers, and the medical records typically include a person identifier such as the social security number of the patient. The medical records may further contain other person identifiable attributes such as name, work and home addresses, work and home phone numbers, and like information. The sensitive data may be insurance claims, clinical records, pharmacy records, occupational health information, worker's compensation information, financial information, personnel information and other data. However, sensitive and confidential data of another nature may be protected by system 10 in the same manner.

[0009] Prior to releasing the sensitive data, data provider 12 separates the person identifier from the rest of the data and scrambles the person identifier. Any data scrambling, encoding or encryption algorithm may be used. The scrambling algorithm may even be a random number generator which uses the person identifier as the seed number. Data provider 12 then transmits or sends a data feed of the data with the scrambled person identifier and a data provider identifier (13) to a database, data management system, or data warehouse 20 for data storage. The sensitive data stored in database 20 is therefore associated only with a data provider identifier and a scrambled person identifier. Data provider 12 also transmits the scrambled person identifier and the associated person identifier along with the data provider identifier (14) to a trusted escrow agent 16 for safekeeping. Other person identifiable attributes which may be used to identify the person are also transmitted to escrow agent 16. Escrow agent 16 therefore possesses a mapping of the scrambled person identifier to the person identifier and other person identifiable attributes. The mapping information may be represented in the form of a table.

[0010] Escrow agent 16 then generates a unique universal anonymous identifier for each person identifier. This universal anonymous identifier is transmitted along with the associated scrambled person identifier and data provider identifier to database 20. Database 20 thus has sufficient information to map or otherwise associate the scrambled person identifiers to the corresponding universal anonymous identifiers, but not to the person identifiers. In fact, database 20 does not possess any data on the person identifiers or any other data attributes that can be used to identify the person. The universal anonymous identifier is used to reference all data related to a specific person regardless of the identity of the data source or data provider 12. Therefore, each person may be referenced by a unique universal anonymous identifier in database 20 without compromising the confidentiality of the data.
[0011] FIGURE 2 is a more detailed numerical data flow example of an embodiment of the process of separating and scrambling person identifiers from the data according to the teachings of the present invention. The data shown are merely for demonstration purposes and do not resemble actual data.



[0012] Data provider 12 may be a health insurance carrier which has an identifier of "BC11BS," for example. Each data provider 12 in system 10 is uniquely identifiable by a data provider identifier. Data provider 12 has a set of original claims data related to a person identified by person identifier "31313," for example. Typically, the original claims data also includes other person identifiable attributes, such as name, address, phone number, etc. The original claims data in possession of data provider 12 may also include a diagnosis code ("2003"), a procedure code ("J123"), other claims data ("klmnop"), and other assorted data ("qrstuv"). Data provider 12 then applies a scrambling algorithm to methodically alter the person identifier, so that it is now "907432". The scrambled person identifier is unique to each person identifier or person. The scrambled person identifier is transmitted or fed to database 20 with the data provider identifier and the remaining data (for example, diagnosis code, procedure code, other claims data, and other data). Only the person identifier is scrambled or altered from the original. The data is typically transmitted electronically to database 20 via a data feed or EDI (electronic data interchange).

[0013] Data provider 12 also transmits to escrow agency 16 the same scrambled person identifier ("907432"), the data provider identifier ("BC11BS"), the original unscrambled person identifier ("313131"), and all other person identifiable attributes. Using this information, escrow agency 16 either creates a new universal anonymous identifier ("39863211") if the person is new in the system, or looks up the universal anonymous identifier previously assigned to the person. Escrow agent 16 then transmits the mapping from the universal anonymous identifier to the scrambled person identifier to database 20. The data provider identifier may also be sent to database 20. The universal anonymous identifier is substituted for the scrambled person identifier in database 20. Once substituted, all data belonging to a person stored in database 20 are identified by or associated with the same unique universal anonymous identifier.

[0014] It may be seen that the linking or mapping from the universal anonymous identifier to the person identifier provides the key to unlock the anonymity of the data stored in database 20. This key relationship is held in confidence by trusted escrow agency 16 and is kept separate from the data itself stored in database 20. Without the key relationship, the data in database 20 cannot be linked to any person.
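The two feeds of paragraphs [0009] to [0013], worked as an added Python example (this is not code from the patent): a data provider scrambles the person identifier, sends the claims data to the warehouse and the identifier mapping to the escrow agent, and the escrow agent assigns one universal anonymous identifier (UAID) per person and has the warehouse substitute it. The keyed HMAC used for scrambling is an assumption (the patent allows any scrambling algorithm), and the second carrier XY99ZZ, both keys and the second claim record are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (demonstration values only): the BC11BS row is the
# FIGURE 2 example, XY99ZZ is a hypothetical second carrier on the same person.
CLAIM_BC11BS = {"person_identifier": "31313", "diagnosis_code": "2003",
                "procedure_code": "J123", "other_claim_data": "klmnop",
                "other_data": "qrstuv"}
CLAIM_OTHER = {"person_identifier": "31313", "diagnosis_code": "4501",
               "procedure_code": "J777", "other_claim_data": "abcdef",
               "other_data": "ghijkl"}

class DataProvider:
    """Carrier (element 12): separates and scrambles the person identifier."""
    def __init__(self, provider_id: str, scramble_key: bytes):
        self.provider_id = provider_id
        # Assumption: scrambling is a keyed HMAC with a key held only by the
        # provider, so the scrambled value cannot be recomputed without the key.
        self._key = scramble_key

    def scramble(self, person_id: str) -> str:
        return hmac.new(self._key, person_id.encode(), hashlib.sha256).hexdigest()[:12]

    def release(self, record: dict, warehouse: "Warehouse", escrow: "EscrowAgent") -> None:
        person_id = record["person_identifier"]
        scrambled = self.scramble(person_id)
        # Feed 1: the record minus the person identifier goes to database 20.
        data = {k: v for k, v in record.items() if k != "person_identifier"}
        warehouse.ingest(self.provider_id, scrambled, data)
        # Feed 2: the identifier mapping goes to escrow agent 16 only.
        escrow.deposit(self.provider_id, scrambled, person_id)

class EscrowAgent:
    """Escrow agent (element 16): sole holder of person_id <-> UAID."""
    def __init__(self):
        self.uaid_by_person: dict = {}
        self._deposits: dict = {}  # (provider id, scrambled id) -> person id

    def deposit(self, provider_id: str, scrambled: str, person_id: str) -> None:
        self._deposits[(provider_id, scrambled)] = person_id

    def issue_uaids(self, warehouse: "Warehouse") -> None:
        for (provider_id, scrambled), person_id in self._deposits.items():
            # Reuse the UAID of a person already in the system, else create one.
            uaid = self.uaid_by_person.setdefault(person_id, secrets.token_hex(4))
            warehouse.substitute(provider_id, scrambled, uaid)

class Warehouse:
    """Database 20: holds claims keyed by scrambled id, then by UAID."""
    def __init__(self):
        self.records: list = []

    def ingest(self, provider_id: str, scrambled: str, data: dict) -> None:
        self.records.append({"provider": provider_id, "key": scrambled, "data": data})

    def substitute(self, provider_id: str, scrambled: str, uaid: str) -> None:
        for rec in self.records:
            if rec["provider"] == provider_id and rec["key"] == scrambled:
                rec["key"] = uaid

def run_flow() -> tuple:
    # Two carriers release data on the same person; escrow links both to one UAID.
    warehouse, escrow = Warehouse(), EscrowAgent()
    DataProvider("BC11BS", b"key-for-bc11bs").release(CLAIM_BC11BS, warehouse, escrow)
    DataProvider("XY99ZZ", b"key-for-xy99zz").release(CLAIM_OTHER, warehouse, escrow)
    escrow.issue_uaids(warehouse)
    return warehouse, escrow
```

A keyed function is used instead of the seeded random number generator the text mentions so that nobody holding the warehouse alone can recompute a scrambled identifier from a candidate person identifier; the key stays with the data provider, the mapping with the escrow agent.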

[0015] Returning to FIGURE 1, the data in database 20 may be accessed by study teams 22 for analysis, research or other purposes. Database inquiries 24 to database 20 produce non-person identifiable data 26 accessed by study teams 22. If for some reason members of the study team believe that intervention is required or desirable, then a proposal 28 is made to an independent review board 30. The proposal provides a list of one or more universal anonymous identifiers, a suggested intervention method or intervention instructions, and evidence supporting the need for the intervention. Independent review board 30 evaluates proposal 28 and makes a decision whether the proposed intervention should be made. If intervention is deemed appropriate, independent review board 30 assigns a unique case number to the intervention and transmits the case number with the intervention instructions to a certified intervention agent 34. Independent review board 30 also sends the case number with the universal anonymous identifier(s) to escrow agency 16. Escrow agency 16, upon receipt of the case number and universal anonymous identifier(s), sends the person identifier(s) and other person identifiable attributes associated with the received universal anonymous identifier(s) to intervention agent 34. Intervention agent 34 now has the person identifier(s) and person identifiable attributes along with the intervention instructions. Intervention agent 34 is then able to contact (42) persons 44 as instructed. The intervention method may be telephone calls, written correspondence, physician contact, or any other suitable means. Intervention agent 34 may be an automated process that receives and executes intervention instruction commands from independent review board 30 to automatically prepare a letter or some form of communication for contacting the person. It may be seen that in this procedure, intervention agent 34 does not have access to any data other than person identifiers and intervention instructions, and study teams 22 do not have access to any data other than the anonymous data records.
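The intervention flow of paragraph [0015], as an added Python example (not code from the patent): the review board issues a case number to both the intervention agent and the escrow agency, and the escrow agency releases a person identifier only for a (case number, universal anonymous identifier) pair it received from the board, so a request without a matching case number is refused. The board's approval rule, the case-number format, the escrow table's attribute values and the proposal are assumptions.

```python
from typing import Optional

# Constructed escrow mapping table (FIGURE 2 values; attributes are placeholders).
ESCROW_TABLE = {
    "39863211": {"person_identifier": "31313",
                 "attributes": {"name": "[placeholder]", "phone": "[placeholder]"}},
}

class IndependentReviewBoard:
    """Element 30: evaluates proposals and is the only issuer of case numbers."""
    def __init__(self):
        self._counter = 0
        self.decisions: dict = {}  # case number -> (uaids, instructions)

    def authorise(self, proposal: dict) -> Optional[str]:
        # Assumption: the board's decision rule here is that evidence must be present.
        if not proposal.get("evidence"):
            return None
        self._counter += 1
        case = f"CASE-{self._counter:04d}"
        self.decisions[case] = (tuple(proposal["uaids"]), proposal["instructions"])
        return case

class EscrowAgency:
    """Element 16: releases identifiers only for board-approved (case, UAID) pairs."""
    def __init__(self, table: dict):
        self._table = table
        self._approved: dict = {}  # case number -> set of UAIDs sent by the board

    def receive_case(self, case: str, uaids: tuple) -> None:
        self._approved[case] = set(uaids)

    def release(self, case: str, uaid: str) -> dict:
        if uaid not in self._approved.get(case, set()):
            raise PermissionError(f"{uaid} is not authorised under {case}")
        return self._table[uaid]

class InterventionAgent:
    """Element 34: receives instructions and identifiers, never the claims data."""
    def __init__(self):
        self._instructions: dict = {}
        self.contacts: list = []

    def receive_instructions(self, case: str, instructions: str) -> None:
        self._instructions[case] = instructions

    def contact(self, case: str, identity: dict) -> dict:
        record = {"case": case, "person_identifier": identity["person_identifier"],
                  "instructions": self._instructions[case]}
        self.contacts.append(record)
        return record

def run_intervention(proposal: dict) -> list:
    # Wire the parties together and run the paragraph [0015] flow for one proposal.
    board = IndependentReviewBoard()
    escrow, agent = EscrowAgency(ESCROW_TABLE), InterventionAgent()
    case = board.authorise(proposal)
    if case is None:
        return []
    uaids, instructions = board.decisions[case]
    agent.receive_instructions(case, instructions)  # case number + instructions to agent 34
    escrow.receive_case(case, uaids)                # case number + UAIDs to escrow 16
    return [agent.contact(case, escrow.release(case, u)) for u in uaids]

# Constructed proposal 28 from study team 22.
PROPOSAL = {"uaids": ["39863211"], "instructions": "Mail a screening reminder letter",
            "evidence": "diagnosis code 2003 in the warehouse record"}
```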

[0016] It is preferable, in order to achieve and maintain the security and integrity of system 10, that all entities operate independently from one another. For example, if the system deals with employee medical insurance claim data, independent review board 30, escrow agency 16, and intervention agent 34 are preferably not related entities of the employer and are able to function independently therefrom. Further, escrow agent 16 is required to safeguard the mapping tables between the universal anonymous identifiers and person identifiers and not release this information to persons or entities without the proper credentials. Additionally, whenever data is electronically transferred via a network, it is preferable that data encryption techniques be used to ensure confidentiality of the data. The data are typically housed in databases such as relational databases, object-oriented databases, relational object-oriented databases and the like.

[0017] It is contemplated by the teachings of the present invention to apply system 10 to any data of a sensitive confidential nature, such as medical health records, medical claim records, pharmacy records, clinical records, lab test results, occupational health information, worker's compensation information, personnel information, genetic information, and personal financial data.

[0018] Although several embodiments of the present invention and its advantages have been described in detail, it should be understood that mutations, changes, substitutions, transformations, modifications, variations, and alterations can be made therein without departing from the teachings of the present invention.

Claims 

1. A privacy data escrow system, comprising:

at least one data provider (12) having a plurality of privacy data records of a plurality of persons, each privacy data record being associated with a unique person identifier of a person, each of the at least one data provider having a unique data provider identifier (13) associated therewith;

an escrow agent (16) in communication with the at least one data provider (12) and operable to receive and store, from the at least one data provider (12), the plurality of person identifiers and a plurality of unique scrambled person identifiers each having a one-to-one relationship with one of the plurality of person identifiers, and data provider identifiers associated with each person identifier; and

a database (20) in communication with the at least one data provider (12) and operable to receive and store, from the at least one data provider (12), the plurality of privacy data records, the plurality of scrambled person identifiers associated with the privacy data records, and the data provider identifiers, the database (20) further operable to receive and store, from the escrow agent (16), a unique universal anonymous identifier to replace each scrambled person identifier whereby each privacy data record stored in database is identifiable by a universal anonymous identifier.

2. A system as claimed in claim 1, wherein the escrow agent comprises a mapping table associating the plurality of person identifiers with the universal anonymous identifiers.

3. A system as claimed in claim 1, wherein the privacy data record comprises medical insurance claim data.

4. A system as claimed in claim 1, wherein the privacy data record comprises occupational health data.

5. A system as claimed in claim 1, wherein the privacy data record comprises worker's compensation data.

6. A system as claimed in claim 1, wherein the privacy data record comprises electronic medical record, clinical data, pharmacy data and medical data.

7. A system as claimed in claim 1, wherein the at least one data provider comprises a data scrambler operable to scramble the person identifier and generate the scrambled person identifier.

8. A system as claimed in claim 1, further comprising an intervention agent in communication with the escrow agent and operable to receive a person identifier therefrom and performing intervention with the person identified by the person identifier.

9. A system as claimed in claim 1, further comprising:

a study team operable to access the privacy data record stored in the database and generating proposed interventions;

an independent review board operable to review and authorise the proposed interventions, the independent review board assigning a case number to an authorised intervention;

the escrow agent receiving the intervention case number and at least one universal anonymous identifier associated with the authorised intervention; and

an intervention agent operable to receive the intervention case number and authorised intervention from the independent review board and further receive, from the escrow agent, at least one person identifier associated with the intervention case number.

10. A method of maintaining the confidentiality of privacy data, comprising:

associating a unique person identifier with each privacy data record;

scrambling the unique person identifier and generating a scrambled person identifier;

transmitting the privacy data record and the scrambled person identifier to a database for storage;

transmitting the person identifier with its associated scrambled person identifier to an escrow agency for confidential safekeeping;

generating, by the escrow agency, a universal anonymous identifier for each person identifier and scrambled person identifier, and transmitting the universal anonymous identifier and its associated scrambled person identifier to the database.
[FIGURE 2 (drawing not reproduced): numerical data flow example. Boxes and their fields:
DATA PROVIDER = BC11BS, ORIGINAL CLAIMS DATA: person identifier = 31313, diagnosis code = 2003, procedure code = J123, other claim data = klmnop, other data = qrstuv.
CLAIMS DATA (data provider to data warehouse): carrier identifier = BC11BS, scrambled identifier = 907432, diagnosis code = 2003, procedure code = J123, other claim data = klmnop, other data = qrstuv.
IDENTIFIER DATA (data provider to escrow agency): carrier identifier = BC11BS, scrambled identifier = 907432, person identifier = 31313, person identifiable attributes.
ESCROW AGENCY, PERSON IDENTIFIERS: warehouse identifier = 39863211, carrier identifier = BC11BS, scrambled identifier = 907432, person identifier = 31313, person identifiable attributes, other data source identifiers.
MAPPING DATA (escrow agency to data warehouse): carrier identifier = BC11BS, other data source identifiers, scrambled identifier = 907432, warehouse identifier = 39863211.
DATA WAREHOUSE, WAREHOUSE CLAIMS DATA: warehouse identifier = 39863211, diagnosis code = 2003, procedure code = J123, other claim data = klmnop, other data = qrstuv.]